OSINT
Last updated
Project Scope
OSINTing of TheReserve's corporate website, which is exposed on the external network of TheReserve. Note, this means that all OSINT activities should be limited to the provided network subnet and no external internet OSINTing is required.
Out of scope: External (internet) OSINT gathering.
As the Project Scope states, only the provided network is in scope for OSINT, including the public-facing web server. On the web server there is a team page with usernames and pictures. Inspecting the page source shows that the image file names contain each team member's full name and that the directory holding the images has directory listing enabled, so all team members' names can be gathered from it. Besides the usernames, an email address is given on the contact page, which reveals the company's mail address format. With this information, a list of usernames and email addresses can be compiled.
With the given password base list, the password policy and the restricted special characters, a wordlist is created for brute-force attacks against the login pages of the public-facing web servers.
On the Meet the Team page, usernames with pictures can be found. Some users have full names documented, others only the first name.
Looking at the page source, the pictures are located at /october/themes/demo/assets/images.
Visiting that location shows that directory listing is enabled, and the first and last names of all team members can be extracted from the image file names.
Looking at the footer of the page, two more usernames can be discovered.
On the Contact Us page, an email address is given for sending a CV to the company. From this address, the mail format can be derived and applied to the previously found usernames.
With the information gathered, the users.txt and users_mail.txt wordlists can be crafted.
users.txt
users_mail.txt
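The harvesting step above, as an added example that is not part of the original writeup: a small Python script that pulls picture file names out of a directory index, turns the "first last" stems into usernames in a few common corporate formats and appends the mail domain. The directory listing, the staff names, the mail domain (corp.example), the footer usernames and the username formats are all constructed assumptions for this example; only the image path comes from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample: an Apache-style index page for the image directory named
# on the page. The staff names and file names are invented for this example.
DIRECTORY_LISTING = """
<html><head><title>Index of /october/themes/demo/assets/images</title></head>
<body><h1>Index of /october/themes/demo/assets/images</h1>
<a href="../">Parent Directory</a>
<a href="Laura_Wood.jpg">Laura_Wood.jpg</a>
<a href="mohammad-ahmed.png">mohammad-ahmed.png</a>
<a href="Emily%20Harvey.jpeg">Emily%20Harvey.jpeg</a>
<a href="logo.png">logo.png</a>
<a href="banner-wide.jpg">banner-wide.jpg</a>
</body></html>
"""

# Assumed: the mail domain taken from the careers address on the Contact Us page.
CONTACT_DOMAIN = "corp.example"

# Assumed: two extra usernames that were only found in the page footer.
FOOTER_USERNAMES = ["admin", "webmaster"]

IMAGE_HREF = re.compile(r'href="([^"]+\.(?:jpe?g|png|gif))"', re.IGNORECASE)
# File name stems that are decoration rather than staff photos (assumed).
NOISE_WORDS = {"logo", "banner", "icon", "background", "bg"}


def extract_full_names(listing: str) -> list[tuple[str, str]]:
    """Return lower-cased (first, last) pairs from picture file names in a directory index."""
    names = []
    for href in IMAGE_HREF.findall(listing):
        stem = unquote(href).rsplit(".", 1)[0]          # drop extension, decode %20
        parts = [p for p in re.split(r"[ _.\-]+", stem) if p]
        if len(parts) != 2:                              # not a "First Last" stem
            continue
        first, last = (p.lower() for p in parts)
        if not (first.isalpha() and last.isalpha()) or first in NOISE_WORDS:
            continue
        names.append((first, last))
    return names


def username_candidates(first: str, last: str) -> list[str]:
    """Common corporate username conventions (assumed; confirm against a known account)."""
    return [f"{first}.{last}", f"{first}{last}", f"{first[0]}{last}", first]


def build_lists(listing: str, domain: str, extra=()) -> tuple[list[str], list[str]]:
    """Build users.txt / users_mail.txt contents, de-duplicated, in discovery order."""
    users: dict[str, None] = {}
    for first, last in extract_full_names(listing):
        for u in username_candidates(first, last):
            users[u] = None
    for u in extra:                                      # footer usernames, if any
        users[u.lower()] = None
    user_list = list(users)
    mail_list = [f"{u}@{domain}" for u in user_list]
    return user_list, mail_list


if __name__ == "__main__":
    users, mails = build_lists(DIRECTORY_LISTING, CONTACT_DOMAIN, FOOTER_USERNAMES)
    with open("users.txt", "w") as f:
        f.write("\n".join(users) + "\n")
    with open("users_mail.txt", "w") as f:
        f.write("\n".join(mails) + "\n")
    print(f"{len(users)} usernames and {len(mails)} addresses written")
```

Generating several username formats per person keeps the list small enough for a password spray while covering the convention actually in use; once one format is confirmed (for example by a successful login or a different error message), the other variants can be dropped.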
With the password base list, the policy and the restricted special characters, a wordlist is created with John the Ripper.
password_base_list.txt
password_policy.txt
The project brief restricts the special characters used in the password policy to the following:
!@#$%^
To generate the password list from the information gathered, a rule that mangles the password base list is required. To do so, john.conf was extended with a custom rule, RedTeam-Capstone.
sudo nano /opt/john/john.conf
Generate passwords.txt:
john --wordlist=base.txt --rules=RedTeam-Capstone --stdout > passwords.txt
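The mangling step, as an added example that is not part of the original writeup and is not the author's john.conf rule (the rule itself is not reproduced on the page): a Python script that applies a John-style rule set (no-op or capitalise, then append digits and one of the permitted special characters) and drops every candidate the policy would never have allowed. The base words, the digit and year suffixes and the policy details (8 characters minimum with upper, lower, digit and special) are assumptions for this example; the six special characters are the ones quoted from the project brief.

```python
# Generate passwords.txt from a base list the way a John the Ripper rule would,
# so the candidates can be inspected before they are thrown at a login page.

# Constructed base words; the real password_base_list.txt is attached to the page.
BASE_WORDS = ["reserve", "Banking", "password", "summer"]

# From the project brief: special characters are restricted to these six.
SPECIALS = "!@#$%^"

# Assumed policy for this example (the real password_policy.txt is attached to
# the page): at least 8 characters with an upper-case letter, a lower-case
# letter, a digit and one of the permitted special characters.
MIN_LENGTH = 8

# Assumed suffixes: single digits plus a few recent years.
DIGIT_SUFFIXES = [str(d) for d in range(10)] + [str(y) for y in range(2020, 2024)]


def meets_policy(candidate: str) -> bool:
    """Return True only if the candidate could exist under the assumed policy."""
    return (
        len(candidate) >= MIN_LENGTH
        and any(c.isupper() for c in candidate)
        and any(c.islower() for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(c in SPECIALS for c in candidate)
        and all(c.isalnum() or c in SPECIALS for c in candidate)
    )


def mangle(word: str) -> list[str]:
    """Apply the assumed rule: leave as-is or capitalise (John's ':' and 'c'),
    then append a digit suffix and a special character in either order ('$')."""
    out = []
    for base in (word.lower(), word.capitalize()):
        for digits in DIGIT_SUFFIXES:
            for special in SPECIALS:
                out.append(f"{base}{digits}{special}")
                out.append(f"{base}{special}{digits}")
    return out


def generate_wordlist(words) -> list[str]:
    """Mangle every base word and keep only policy-compliant, unique candidates."""
    seen: dict[str, None] = {}
    for word in words:
        for candidate in mangle(word):
            if meets_policy(candidate):
                seen[candidate] = None
    return list(seen)


if __name__ == "__main__":
    wordlist = generate_wordlist(BASE_WORDS)
    with open("passwords.txt", "w") as f:
        f.write("\n".join(wordlist) + "\n")
    print(f"{len(wordlist)} candidates written to passwords.txt")
```

Filtering against the policy is the part that matters: the all-lower-case variants and any candidate using a character outside the restricted set can never be a valid password on the target, so removing them before the attack cuts the number of login attempts, and with it the chance of tripping a lockout threshold, without losing any real coverage.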
Offline Attacks - Rule Based